Migrating a single ISA Server to Forefront TMG 2010 Step by Step

Gallery

Posted on by

Before start migrating…

  1. Record Fully qualified domain name (FQDN) of the computer running ISA Server.
  2. Record IP address, subnet mask, default gateway, and DNS server address of all the network adapters connected to the internal, external network (Internet) and perimeter (DMZ) network.
  3. Install ISA Service Pack 3 if migrating from ISA 2004
  4. Export complete ISA configuration
  5. A complete backup of ISA server for peace of mind.

To export the ISA Server configuration

  1. In the ISA Server Management console, in the tree, access the root node:

  2. On an ISA Server computer, expand Microsoft Internet Security and Acceleration Server, and then click ServerName.

  3. In the Tasks pane, click Export ISA Server Configuration to a File.

  4. In the Export Wizard, on the Export Preferences page, select the following options:

  5. Export confidential information. Specify a password of at least eight characters.

    When you export confidential information, the following are included in the exported data:

    clip_image001[1] Credentials that are used for alerts, logging, reports, report jobs, primary and backup routes, dial-up connections, and Web publishing.

    clip_image001[2] The shared secret that is specified if a RADIUS server is used.

    clip_image001[3] The preshared key that is specified for Internet Protocol security (IPsec) configuration.

    clip_image001[4] Confidential information is encrypted during the export process. The password is used to decrypt the information during the import process.

  6. On the Export File Location page, specify a name and location for the exported backup file. If you intend to upgrade this computer to Windows Server 2008 and install Forefront TMG on it, copy the exported file to a network location, so that it won’t be deleted before the migration process is complete.

  7. On the Apply Changes bar, click Apply. 

Important! To import the configuration into Forefront TMG, you must select the option Export confidential information, regardless of whether such information exists in the system. It is recommended that you export the entire configuration from the root node. The other option is to export only the specific nodes you want to migrate to Forefront TMG. Note that only the following nodes can be migrated individually: URLSet, DomainNameSet, ComputerSet, Computer, Subnet and AddressRange. If you are running any report in back ground you must stop it during export operation. You have to delete scheduled report that is running in ISA Server otherwise you will be prompted with error.

To move a machine certificate

To export a certificate, follow these steps:

  1. From the computer where the certificate was installed, start Microsoft Management Console (MMC).
  2. Add the Certificates snap-in to the console. When you are prompted, click My user account as the account to be managed.
  3. In the MMC console, double-click Certificates – Current User, double-click Personal, and then click Certificates.
  4. In the right pane, right-click the certificate that you want to export, point to All Tasks, and then click Export.
  5. When the Certificate Export Wizard starts, click Next.
  6. On the Export Private Key page, click Yes, export the private key.
    The private key is required for the encrypted messages to be read from the computer where the key will be imported.
  7. On the Export File Format page, leave the default settings, and then click Next.
  8. On the Password page, type password for the private key.
  9. On the File to Export page, type the path and the name for the exported certificate file, and then click Next.
    The file name has a .pfx extension. This file is the .pfx file that is imported to other computers.
  10. Click Finish.

To import a certificate, follow these steps:

  1. On the computer that the certificate is to be imported to, locate the .pfx file that was exported in the procedure described earlier in this article.
  2. Right-click the file, and then click Install PFX.
  3. When the Certificate Import Wizard starts, click Next.
  4. On the File to Import page, click Next.
  5. On the Password page, type the password for the private key in the Password box, and then click Next.
    You do not have to select the option to make the key exportable, because you already have an exported copy.
  6. On the Certificate Store page, click Automatically select the certificate store based on the type of certificate, and then click Next.
  7. Click Finish.

Installation of Operating Systems

Perform a clean installation of Windows 2008 (SP2 64 bit or R2) on the computers. This applies both to new computers and the computers on which ISA Server was installed. In place upgrades from a 32 bit Windows 2003 to a 64 bit Windows 2008 are not supported however you can upgrade a 64 bit Windows Server 2003 . Join TMG server in the Active Directory Domain with same FQDN. Import Certificates as mentioned above.

To run Forefront TMG 2010 installation

  1. Insert the Forefront TMG DVD into the DVD drive, or run autorun.hta from a shared network drive.

  2. On the main setup page, click Run Windows Update. Windows Update might require one or more computer restarts. If the computer restarts, you must launch the setup page again, as described in step 1 of this procedure.

  3. On the main setup page, click Run Preparation Tool to launch the Preparation Tool.

  4. On the main setup page, click Run Installation wizard to launch the Forefront TMG Installation Wizard.

  5. On the Installation Type page, click the Forefront TMG services and Management button.

  6. On the Installation Path page, specify the Forefront TMG installation path.

  7. On the Define Internal Network page, click Add, click Add Adapter or IP addresses to the internal network , and then select the adapter which is connected to the main corporate network.

  8. On the Ready to Install the Program page, click Install.

  9. Installation will take a while. Click Finish once Done.

Important! DO NOT RUN initial Configuration as you are going to import complete configuration.

To import the configuration into Forefront TMG

  1. In the Forefront TMG Management console, in the tree, access the root node:

  2. On a Forefront TMG computer, expand Microsoft Forefront Threat Management Gateway, and then click ServerName.

  3. On an EMS computer, click Microsoft Forefront Threat Management Gateway.

  4. On the Tasks tab, click Import (Restore) configuration.

  5. In Look in, browse to the folder that contains the file you are importing.

  6. In the Select the Import File step, in File name, specify the file name of the .xml file you are importing.

  7. Specify the password required to decrypt the confidential information.

  8. On the Apply Changes bar, click Apply.

Further References

How to install and configure Forefront TMG 2010 –step by step

Forefront Threat Management Gateway (TMG) 2010

ISA Server

Share this on Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

20 thoughts on “Migrating a single ISA Server to Forefront TMG 2010 Step by Step

  1. Pingback: Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II « Information Technology Blog

  4. Hello, thank you for your reply much appreciated. That’s kind of what I thought. Keeping the same IP but our clients point to the FQDN rather than IP so bit of work but that’s fine.

    Like

    Reply

  5. Pingback: Forefront TMG 2010: Frequently Asked Questions (FAQ) | MicrosoftGURU

  6. There is a step missing when exporting ISA configuration settings. You need to make sure and select both export options, including “Export user permission setting”. Otherwise when you try to import it into TMG 2010, you will get:

    “The Forefront TMG configuration cannot be imported because it was exported from a computer running an earlier version of Forefront TMG without requesting inclusion of the user permission settings or confidential information. For upgrading, the configuration must be exported with the inclusion of these settings and the confidential information.”

    Self explanatory, just redo the export on ISA but check the other box too. Then you can import it into TMG.

    Like

    Reply

    • This is on test platform to guide users on migration. I hope users can find their own way after looking at this example. There is no book on TMG for dummies in entire the plannet.

      Thanks for letting me. If everything self explanatory than google will stop thier business. Raihan

      Like

      Reply

      • I have no idea what you are trying to say. Sorry.

        I was just trying to help users that view this posting that they need to check both boxes.

        Your article is excellent by the way. Curious though is this export/import from ISA to TMG a support scenario with Microsoft?

        Like

  7. What ’bout certificates ?!? Are them related to hostname ?!? If I move configuration to a new server with different name to test the platform in a parallel installation, how can I manage certificates ?!?
    Tnx.

    Like

    Reply

  8. Excellent article Raihan. I will be performing this in a few weeks for a client.

    Just to be clear: I can migrate the settings as described from ISA 2004 SP3 to TMG Standard SP1: Here is the scenario:

    My TMG server is on new hardware and will have a different FQDN to the ISA 2004 and a different ‘Internal’ IP address.

    Also is it possible to change the Internal LAN IP of the TMG once everything is built and configured. I have read somewhere that it can cause alot of problems?

    Will the Import of the config from ISA 2004 still work OK?

    Thanks for your help and keep up the good work

    Like

    Reply

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.